In a previous post, we provided information on how to protect your university from ransomware attacks. Here, we offer some advice on what to do if the worst happens and your university is attacked.

By Louise Schuster, AARNet’s Director, Cyber Security

A UK survey recently found that the majority of UK businesses hit by ransomware take a week or more to recover and suffer thousands of pounds damage a day. For 15% of those hit, the data encrypted by ransomware was not recoverable. In short, the impact of a ransomware attack on business operations can be significant.

Here are some steps you can take when faced with a ransomware attack:

Step 1. Validate the type of ransomware

If you can’t identify the ransomware, then there’s a chance it could be fake. In such cases, your files will not be encrypted; the attacker simply pops up a message which locks your screen. The ransom demand typically shows up inside a browser window and doesn’t let the user navigate away, or it locks the screen and displays a dialog box asking for an encryption key.

Step 2 – Follow your incident response plan

Having a clearly documented and agreed upon incident response plan that outlines in detail what steps the organisation will take to respond to a ransomware compromise (covering detection, containment, eradication and recovery) is critical for timely and effective remediation. The plan should be ‘tuned’ for your organisation and regularly tested to ensure it will work effectively.

In the absence of this plan, we recommend the following course of action, documenting the steps throughout this process.

1. Containment and scoping:

   • Immediately ensure that the infected machine(s) are shut down to prevent further encryption. Time is critical as the encryption process can take several hours, especially on larger file systems. Swift action can dramatically limit the impact on your organization.
   • Next, determine the scope of the impact. Is it just a few files on the local machine, or multiple files in various locations? Were any Network Share drives impacted? Where possible, the impact on the local machine should be performed through a “live cd” or other recovery disk, not with the infected operating system.
   • Perform a risk assessment. Important factors to consider include: The appropriate response risk tolerance of the organization, the potential impact of the hostage data, the impact on business continuity, whether a redundant system is available, and regulatory requirements.
   • Engage with your communications team to assist with preparing briefing sessions, media releases etc.

2. Recovery and Remediation options:

   • Attempt to recover the data. Having a comprehensive and effective backup process to facilitate restoration of systems to a state that preceded the ransomware infection is critical. Storing some level of backups offline (to ensure backups don’t become compromised and unrecoverable as well) is recommended. Backups should be tested regularly to ensure they are reliable and effective, and it’s important to ensure the system you are restoring onto is clean before taking any such restorative action.
   • If backups are not available, you will need to perform an impact assessment for the lost data and proceed with one of the following
   • Accept the data loss. If the value of the encrypted data is less than the ransom, then you should consider accepting the data loss. In this case, a full rebuild or factory reset of the affected device should occur, do not continue using it in its current state as additional malware may have accompanied the ransom ware.
   • Pay the ransom (not recommended). Lastly, the actual payment of the ransom demanded by attackers is something that does need to be considered. We cannot recommend this as strategy and it most definitely should not be given priority over a strong prevention, detection and response strategy as described above, but if all else fails, or if time is of the essence, it’s an option that has to be on the table.

Note: Cyber-insurance may provide some cover for costs incurred by ransomware infections. Ensure you understand the specific terms of your policy.

We would like to acknowledge Nick Ellsmore from Hivint for assisting with developing this advice.

Useful websites for more information:

CERT Australia

Scamwatch